Introduction
This article describes an update to add support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Embedded Compact 2013.
This update also adds the support required for code signing cryptographic binaries by using SHA256 hash values, and it updates the Windows CE Cryptographic Service Provider signature thumbprint.
Summary
Enable TLS 1.1 and TLS 1.2
By default, TLS 1.1 and 1.2 are enabled when the Windows Embedded Compact 2013 device is configured as a client by using browser settings. The protocols are disabled when the Windows Embedded Compact 2013 device is configured as a web server.
In the following sections, we discuss the registry keys that you can use to enable or disable TLS 1.1 and TLS 1.2.
TLS 1.1
The following subkey controls the use of TLS 1.1:
HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.
Note To enable and negotiate TLS 1.1, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.
TLS 1.2
The following subkey controls the use of TLS 1.2:
HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.
Note To enable and negotiate TLS 1.2, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.
Warning The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential.
Note Per the Request for Comments (RFC), the design implementation does not allow SSL2 and TLS 1.2 to be enabled at the same time.
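The registry values above and the grbitEnabledProtocols member discussed later interact in ways that are easy to get wrong in a platform build, so the following added example (not code from the article or from Microsoft) is a small checker that parses the relevant keys out of a platform.reg-style fragment and reports which protocol/role combinations Schannel would negotiate. The SP_PROT_* flag values are the ones defined in schannel.h; the .reg fragment is constructed for the example; and the decision rules are assumptions drawn from the text (Enabled=0 disables the protocol outright, a non-zero grbitEnabledProtocols overrides DisabledByDefault, a zero mask falls back to DisabledByDefault, and SSL2 cannot be combined with TLS 1.2).

```python
"""Schannel protocol-setting checker for a Windows Embedded Compact 2013
platform.reg fragment. Added example; not part of the KB article."""
import re

# Protocol flag values as defined in schannel.h (SP_PROT_* constants).
SP_PROT_SSL2_SERVER   = 0x00000004
SP_PROT_SSL2_CLIENT   = 0x00000008
SP_PROT_TLS1_1_SERVER = 0x00000100
SP_PROT_TLS1_1_CLIENT = 0x00000200
SP_PROT_TLS1_2_SERVER = 0x00000400
SP_PROT_TLS1_2_CLIENT = 0x00000800

PROTOCOLS_KEY = r"HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols"

# (protocol subkey, role subkey) -> matching grbitEnabledProtocols flag
FLAGS = {
    ("TLS 1.1", "Client"): SP_PROT_TLS1_1_CLIENT,
    ("TLS 1.1", "Server"): SP_PROT_TLS1_1_SERVER,
    ("TLS 1.2", "Client"): SP_PROT_TLS1_2_CLIENT,
    ("TLS 1.2", "Server"): SP_PROT_TLS1_2_SERVER,
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text):
    """Parse [key] headers and "Name"=dword:hex lines of a .reg fragment.
    Returns {key_path_lower: {value_name_lower: int}}. Comment lines (;)
    and non-DWORD values are ignored."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1).lower()] = int(m.group(2), 16)
    return reg


def protocol_state(reg, protocol, role):
    """Return (enabled, disabled_by_default) for e.g. ("TLS 1.2", "Server").
    An absent Enabled value counts as 1 (usable); an absent DisabledByDefault
    counts as 1 (not offered unless the application asks for it)."""
    key = f"{PROTOCOLS_KEY}\\{protocol}\\{role}".lower()
    values = reg.get(key, {})
    return values.get("enabled", 1) != 0, values.get("disabledbydefault", 1) != 0


def check_grbit(grbit):
    """True if the mask is acceptable: SSL2 and TLS 1.2 may not both be set."""
    ssl2 = grbit & (SP_PROT_SSL2_CLIENT | SP_PROT_SSL2_SERVER)
    tls12 = grbit & (SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_2_SERVER)
    return not (ssl2 and tls12)


def negotiable(reg, protocol, role, grbit=0):
    """Would this protocol/role be negotiated for a credential acquired with
    SCHANNEL_CRED.grbitEnabledProtocols == grbit? Assumed rules: Enabled=0
    always wins; a non-zero grbit overrides DisabledByDefault; grbit == 0
    defers to DisabledByDefault."""
    if not check_grbit(grbit):
        raise ValueError("SSL2 and TLS 1.2 cannot be enabled at the same time")
    enabled, disabled_by_default = protocol_state(reg, protocol, role)
    if not enabled:
        return False
    if grbit:
        return bool(grbit & FLAGS[(protocol, role)])
    return not disabled_by_default


# Constructed sample fragment: TLS 1.2 made negotiable for the server role,
# TLS 1.1 explicitly disabled for the server role, nothing set for clients.
SAMPLE_REG = r"""
; constructed platform.reg fragment (example only)
[HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"""


def report(reg_text, grbit=0):
    """Map 'protocol role' -> negotiable? for every entry in FLAGS."""
    reg = parse_reg(reg_text)
    return {f"{p} {r}": negotiable(reg, p, r, grbit) for (p, r) in FLAGS}


if __name__ == "__main__":
    for name, ok in report(SAMPLE_REG).items():
        print(f"{name:16} {'negotiated' if ok else 'not negotiated'}")
```

Running the checker on the sample shows the asymmetry the article describes: the server role negotiates TLS 1.2 only because DisabledByDefault was explicitly set to 0, the client role does not until an application passes SP_PROT_TLS1_2_CLIENT in grbitEnabledProtocols, and TLS 1.1 stays off for the server no matter what mask is passed because Enabled is 0.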
More Information
The following sections provide additional details about TLS 1.1 and 1.2.
Cipher Suites supported by TLS 1.2 only
The following newly added cipher suites are supported by TLS 1.2 only:
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_NULL_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
grbitEnabledProtocols
(Optional) This DWORD member contains a bit string that represents the specific protocols supported by connections made with credentials acquired through this structure.
The following table shows the additional flags this member can contain.
Value | Description
SP_PROT_TLS1_2_CLIENT | Transport Layer Security 1.2 client-side.
SP_PROT_TLS1_2_SERVER | Transport Layer Security 1.2 server-side.
SP_PROT_TLS1_1_CLIENT | Transport Layer Security 1.1 client-side.
SP_PROT_TLS1_1_SERVER | Transport Layer Security 1.1 server-side.
SecBuffer: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ee498790(v%3dwinembedded.80)
BufferType
This set of bit flags indicates the type of buffer. The following table shows the additional available flags for TLS 1.2:
Flag | Description
SECBUFFER_ALERT | The buffer contains an alert message.
SecPkgContext_ConnectionInfo: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ee497983(v%3dwinembedded.80)
dwProtocol
This designates the protocol that is used to establish this connection. The following table shows additional valid constants for this member:
Value | Description
SP_PROT_TLS1_2_CLIENT | Transport Layer Security 1.2 client-side.
SP_PROT_TLS1_2_SERVER | Transport Layer Security 1.2 server-side.
SP_PROT_TLS1_1_CLIENT | Transport Layer Security 1.1 client-side.
SP_PROT_TLS1_1_SERVER | Transport Layer Security 1.1 server-side.
Microsoft Windows CE Cryptographic Service Provider Signature thumbprint
The Microsoft Windows CE Cryptographic Service Provider Signature thumbprint is updated in Windows Embedded Compact 2013. The period of validity for the code signing certificate is changed as follows.
Old period of validity: 02/15/2017 - 05/09/2018
New period of validity: 09/06/2018 - 09/06/2019
Software update information
Download information
The Windows Embedded Compact 2013 Monthly Update (October 2018) is now available from Microsoft. To download this update, go to Microsoft OEM Online or MyOEM.
Prerequisites
This update is supported only if all previously issued updates for this product have also been installed.
Restart requirement
After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:
- On the Build menu, select Clean Solution, and then select Build Solution.
- On the Build menu, select Rebuild Solution.
You do not have to restart the computer after you apply this software update.
Update replacement information
This update does not replace any other updates.
References
Learn about the terminology that Microsoft uses to describe software updates.